
MS Windows Event Logging XML - Application

Device Details

| Field | Value |
|---|---|
| Device Name | MS Windows Event Logging XML - Application |
| Device Type | |
| Supported Model Name/Number | |
| Supported Software Version(s) | |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | |
| Log Source Type | |
| Log Processing Policy | LogRhythm Default |



Additional Information

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

| Log Message | Product Version | Supported Schema Fields |
|---|---|---|
| Catch All : Application Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <object> |
| Catch All : Crypto API Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <session>, <object>, <hash> |
| Catch All : ESENT Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <processid> |
| Catch All : Level 2 2 | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <session> |
| Catch All : Level 3 | N/A | <process>, <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <object>, <sip> |
| Catch All : MsiInstaller Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <session>, <processid> |
| Catch All : MSSQLSERVER Messages | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dname>, <login>, <domainorigin>, <command>, <action>, <reason>, <tag1>, <tag2> |
| Catch All : Outlook Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <object> |
| Catch All : Service Optimization | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <session>, <process>, <processid>, <status> |
| Catch All : SQLVDI Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Catch All : SQLWRITER Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Catch All - Symantec AntiVirus | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <object>, <objectname>, <objecttype>, <command>, <parentprocesspath> |
| Catch All : System Restore Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <session>, <processid>, <command>, <action> |
| Catch All : Trend Micro OfficeScan Server | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>, <subject> |
| Catch All : VSS Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname> |
| Catch All : Windows Error Reporting Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <subject>, <object> |
| Catch All : WSUS Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Certificate Services Client : Cert Enrollment | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <group>, <object> |
| EVID 1 : CVE Messages | N/A | <vmid>, <severity>, <dname>, <account>, <processid>, <object>, <cve>, <tag1> |
| EVID 3 : System Service Model Exception | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <subject>, <object> |
| EVID 1000 : Application Fault | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version>, <object> |
| EVID 1002 : Application Hang | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version>, <object> |
| EVID 1008 : Microsoft-Windows-Perflib | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <version>, <object>, <objectname>, <threatid>, <bytesin> |
| EVID 1026 : Net Process Terminated Unhandled Excp | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version> |
| EVID 1040 & 1042 : MsiInstaller | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <object>, <process>, <processid> |
| EVID 1309 : ASP.NET Request Aborted | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <object>, <tag1> |
| EVID 1530 : Registry Key Still In Use | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <quantity>, <process>, <object> |
| EVID 2004 : Microsoft-Windows-PerfNet | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <version>, <threatid> |
| EVID 4609 : COM+ Event System Bad Return Code | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <object>, <objectname>, <subject> |
| EVID 5605 : Microsoft-Windows-WMI | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <login>, <domainorigin>, <processid>, <version> |
| EVID 33205 : SQL Audit Event | N/A | <vendorinfo>, <vmid>, <severity>, <sname>, <quantity>, <tag1>, <result>, <sessiontype>, <session>, <tag2>, <login>, <tag3>, <account>, <dname>, <object>, <group>, <objectname> |
| LogRhythm Diagnostics | N/A | <vmid>, <sip>, <sport>, <dname>, <object>, <objectname>, <rate>, <tag1>, <tag2>, <tag3> |
| LogRhythm KB Admin Service | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <object>, <objectname> |
| MailMarshal Messages | N/A | <vendorinfo>, <vmid>, <severity>, <sname>, <dname>, <session>, <object>, <subject>, <version> |
| MsiInstaller : Installer Close Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <process>, <subject>, <object> |
| MsiInstaller Messages 1 | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <process>, <version> |
| MS Windows Log Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <session>, <process>, <processid>, <object>, <objectname>, <subject>, <version>, <useragent> |

Revision History

| KB Version | Log Type | Change Type | |
|---|---|---|---|
| KB 7.1.598.0 | N/A | Parsing Improvement and Documentation | N/A |